EU-U.S. Privacy Shield Framework Found Inadequate. SCCs Still Stand.

On July 16, 2020, the Court of Justice of the European Union (the “CJEU”) issued its judgment in the “Schrems II” matter (case C-311/18)[1] holding that the EU-U.S. Privacy Shield framework (the “Privacy Shield”) is invalid for transferring personal data from the EU to the U.S. The CJEU upheld the validity the Standard Contractual Clauses (the “SCCs”) for transferring personal data from the EU to the U.S.

The Department of Commerce that administers the Privacy Shield issued a press release[2] in which they mentioned that the Department of Commerce will “continue to administer the Privacy Shield program, including processing submissions for self-certification and re-certification to the Privacy Shield Frameworks and maintaining the Privacy Shield List.” The Press release further stated that “[T]oday’s decision does not relieve participating organizations of their Privacy Shield obligations.”

Currently, the main concern for organizations that get personal data from the EU is to assess how personal data from the EU is coming to the U.S. and under what basis, and to sign SCCs with applicable parties. If your organization has been operating under the Privacy Shield, you should promptly put the SCCs in place with all organizations in the EU that may be sharing data with your U.S.-based business.

If you need assistance in this matter, please do not hesitate to reach out to Dawn Newton at Donahue Fitzgerald’s privacy attorneys are committed to providing your business with our best guidance and advice.

[1] EU decision:;jsessionid=1BB97916A72A545FC4947469BF366C5E?text=&docid=228677&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=9856828

[2] DOC press statement: